Messages - yourfriendarmando

#1
Hi

I didn't realize the text was that mangled, it is difficult to express many FW rules at once.
I replaced it with a screenshot attached to that post.
I added the missing local_link alias referenced in this guide.
I also added the comprehensive list of dangerous ports that I prevent accessing out on the internet.
#2
Don't you have to set the FiOS router into bridge mode or similar in its web page?

That way the router just functions as a modem.
#3
Here is an excerpt of my configurations, related to DNS and NTP redirection:

DNS and NTP redirection

Goals to solve with this solution:
- Provide local DNS services to clients.
- Redirect client attempts to circumvent local DNS back to local DNS services.
- Force clients to only use DNS on UDP port 53 via their IPv4 address.
- Block attempts to use DNS over TLS on port 853.
- Block clients, to as great an extent as possible, from accessing servers known to host DNS services via any protocol.

Prerequisites:

Firewall :: Categories (Optional step, including Categories used below)

Automatic: [ ] Unchecked

Name            # Color
0Frequent        0084ff
ASN              e7bc98
Danger          ff0000
Danger0          ff7f7f
Danger2          fa6400
Danger3          ffeb00
Danger4          ee00ee
Excep            808080
Firewall        ffffff
Host            84542a
Ingres          00ff00
Ingres0          80ff80
Ingres2          00bf00
Local            00ffff
Net              b37e52
Port            c990dd

Firewall :: Groups (Firewall Interface Groups)

Name        Members                          Description
    My Example:
LANs        <All Local except WANs>         
LANs        ex: OoB, LAN, GST, MGT, IoT, NVR  All Local networks, excluding virtual interfaces like OpenVPN, and WANs
    Policy Approach Example:
DNScli      LAN, GST, ...                    Interface networks you want to force local DNS

Firewall :: Aliases

Name:        danger_port
Type:        Port(s)
Categories:  Danger0, Port
Content:    853
Description: Block Dangerous Egress Ports
Notes:      This is part of a list of ports I consider dangerous to access on the Internet.
            Here is the full list of ports:
            20:26,69,110,111,135:139,161:162,389,445,512:514,636,853,873,1001,1433,1521,2049,3306,3385:3393,5000

Name:        excep_local_nets_net
Type:        Network(s)
Categories:  Excep, Local
Content:    !10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16,!127.0.0.0/8,!::1/128,!127.0.0.1/32,!fc00::/7
Description: Local Default Networks Exclusion
Notes:      This list of networks is used to clean up external block lists.
            It is possible to receive a list with local CIDR blocks
            and be remotely hosed from your own local networks.

Name:        danger_symm_url_aRaw
Type:        URL (IPs)
Categories:  Danger2
Content:    https://raw.githubusercontent.com/crypt0rr/public-doh-servers/refs/heads/main/ipv4.list
            https://raw.githubusercontent.com/crypt0rr/public-doh-servers/refs/heads/main/ipv6.list
            https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.txt
            https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.txt
            https://raw.githubusercontent.com/oneoffdallas/dohservers/refs/heads/master/iplist.txt
            https://raw.githubusercontent.com/oneoffdallas/dohservers/refs/heads/master/ipv6list.txt
Description: Block Symmetric URLs raw
Notes:      This is part of a list of URLs to Block lists of IP addresses.
            These IP addresses must not be accessed, and should not be accessing you.
            If you want more ports, or have your own, let's share

Name:        danger_symm_url_aGrp
Type:        Network group
Categories:  Danger2
Content:    excep_local_nets_net,danger_symm_url_aRaw
Description: Block Symmetric URL Group
Notes:      Fuses the two lists above to sanitize the input of the external block lists.
            The WANs rules that use this alias are not discussed in this tutorial.

Name:        fw_port_svc_rdr
Type:        Port(s)
Categories:  Firewall, Port
Content:     53,123
Description: Firewall Redirect Egress Ports DNS NTP
Notes:       Keeps a client from accessing a DNS or NTP server directly;
             a NAT rule will loop the request back to the Firewall or whatever destination you choose.

Name:        local_link
Type:        Network(s)
Categories:  Local, Net
Content:     fe80::/10,169.254.0.0/16,ff02::/16
Description: Link Local Networks


Firewall :: NAT :: Destination NAT

Description: Fwd DNS NTP to FW
Interface:  LANs, OpenVPN (Or other Interfaces, or Firewall Interface Groups you created)
Version:    IPv4          (Do NOT specify IPv6, that way it is easier to know who accesses services)
Protocol:    TCP/UDP
Source ::
  Invert Source: 
  Source Address: This Firewall
  Source Port:    any
Destination ::
  Invert Source: 
  Source Address: This Firewall
  Source Port:    [ fw_port_svc_rdr      v ]
  Pool Options:  Default
Options ::
  No RDR (NOT):  [ ]
  Log:            [ ]
  No XMLRPC Sync: [ ]
  NAT Reflection: [ Disable  v ]
  Set Tag:        [            ]
  Match Tag:      [            ]
  Firewall rule:  [ Manual    v ]

Description: Fwd NTP6 to FW
Interface:  LANs, OpenVPN (Or other Interfaces, or Firewall Interface Groups you created)
Version:    IPv6          (Do NOT specify IPv4, that is handled above)
Protocol:    TCP/UDP
Source ::
  Invert Source: 
  Source Address: This Firewall
  Source Port:    any
Destination ::
  Invert Source: 
  Source Address: This Firewall
  Source Port:    [ Single port or range  v ]
                  [ 123                    ]
  Pool Options:  Default
Options ::
  No RDR (NOT):  [ ]
  Log:            [ ]
  No XMLRPC Sync: [ ]
  NAT Reflection: [ Disable  v ]
  Set Tag:        [            ]
  Match Tag:      [            ]
  Firewall rule:  [ Manual    v ]


:::::: So far, this will cover redirecting services 53 and 123, now we block circumvention ::::::

Firewall :: Rules [New] or classic, same concept

Please see attached screenshot

Please set a CRON rule to refresh your Aliases and DNS block lists.

Please feel free to ask questions.
It is probably not 100% fool-proof;
I'm always open to improvement.

Sources:
- This tutorial thread https://forum.opnsense.org/index.php?topic=9245.0
- https://github.com/dibdot/DoH-IP-blocklists
- https://github.com/oneoffdallas/dohservers/tree/master
- https://github.com/crypt0rr/public-doh-servers/tree/main
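As an added example (my code, not the post author's), a small Python check that expands the danger_port alias text and applies the excep_local_nets_net exclusions to a constructed DoH feed, which is the sanitization the danger_symm_url_aGrp group is meant to perform before pf ever loads the list. The sample feed uses documentation addresses, and dropping any entry that merely overlaps a local network (rather than only entries contained in one) is my own conservative assumption.

```python
import ipaddress

# Alias contents copied from the post above: ports use OPNsense "a:b" ranges,
# and a leading "!" marks a network to exclude from any fused block list.
DANGER_PORTS = "20:26,69,110,111,135:139,161:162,389,445,512:514,636,853,873,1001,1433,1521,2049,3306,3385:3393,5000"
EXCEP_LOCAL_NETS = "!10.0.0.0/8,!172.16.0.0/12,!192.168.0.0/16,!127.0.0.0/8,!::1/128,!127.0.0.1/32,!fc00::/7"
# Constructed stand-in for a downloaded DoH IP list (documentation ranges, not a real feed).
SAMPLE_DOH_LIST = """\
203.0.113.53
198.51.100.0/24
10.8.8.8          # private address that slipped into the upstream list
2001:db8::53
fd00::1
not-an-ip
""".splitlines()

def parse_port_alias(content: str) -> set[int]:
    """Expand OPNsense port alias text ('20:26,69,...') into a set of ports."""
    ports: set[int] = set()
    for item in content.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports

def parse_exclusions(content: str) -> list:
    """Turn the '!net' entries of the exclusion alias into ip_network objects."""
    return [ipaddress.ip_network(n.lstrip("!"), strict=False) for n in content.split(",")]

def sanitize_blocklist(lines, exclusions):
    """Split feed lines into (kept, dropped). Unparsable entries and entries that
    overlap a local network are dropped; overlaps() (not subnet_of) also catches a
    too-wide entry such as 10.0.0.0/7, so a poisoned feed cannot block your own LAN."""
    kept, dropped = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # strip comments and padding
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            dropped.append(entry)  # never hand unparsable text to pf
            continue
        if any(net.overlaps(ex) for ex in exclusions if ex.version == net.version):
            dropped.append(entry)
        else:
            kept.append(entry)
    return kept, dropped
```

Run the sanitizer on the real feeds after the CRON refresh and alert on a non-empty dropped list; a local CIDR showing up upstream is worth knowing about.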

#4
Quote from: colourcode on May 13, 2026, 05:09:05 PM
Quote from: yourfriendarmando on March 30, 2026, 09:50:46 PM
I have it in an alias full of ports clients have no business accessing.

Mind sharing? Looking to expand :-)

Of course I would be happy to, one moment, I'll take some screenshots and get my notes. To fully (to a great extent) isolate DNS of any form from clients takes some firewall block and NAT rules, and aliases to lock the external DNS world to everyone except the firewall.
#5
I can confirm on my template firewall instances, both BE and CE,
which I use to deploy for production environments for a new sub key or a CE user.

I ran through a few tests in the hopes this helps development.

OPNsense BE 26.4_6-amd64:
No issues editing a user with a heavily modified Dashboard
No issues adding a new user with a password.
No issues editing previous user, and new user passwords.

OPNsense CE 26.1.6-amd64:
No issues editing a user with a heavily modified Dashboard.
No issues adding a new user with a password.
No issues editing previous user, and new user passwords.

OPNsense CE 26.1.7_1-amd64 :::::::::::
Cannot edit user with a heavily modified Dashboard.
No issues adding a new user with similar privileges.
No issues editing the new user with no prior Dashboard.
After resetting the Dashboard of the trouble user, the user can be edited.

Workarounds to edit the original user:
Reset the dashboard of the trouble user, and proceed to edit the user.
Edit a fresh config and insert a new password created from the passwd utility.

The problem returns immediately:
When heavily modifying the dashboard, the problem returns.
The problem desists if the dashboard is left in a default reset state.

I miss when I could import just the dashboard config, and transplant just it across multiple sites.
I noticed that option disappeared in the Backup/Restore when we moved to the improved interface.

Also please keep the Track Interface v6 / ISC DHCP v4/v6 available as long as possible or
until the feature is reproduced in whatever is the 'improved' way to do it.
From a GUI perspective it shouldn't matter what the underlying OSS Technology is,
it doesn't look good if there are like 2 or 3 competing services, and the newer ones remove features
we build infrastructure with.

It works perfectly, especially with our local few internet providers.

I am better at IT than I am sales. It is really hard to sell an underappreciated intangible like this,
especially when I encourage my clients to purchase a 3-year subscription.
Like an insurance agent sells insurance, you never appreciate it until you need it.
Life gets harder with a rug moving under us.
If I need DHCP, I just need to find DHCP services, configure my scopes, leases, prefixes etc.
I shouldn't need to worry if it's ISC, DNSMasq, Kea, CoreDHCP, Dibbler, udhcpd, wide, etc.

I think CISCO only gives you one service and handles its own underlying service.
But don't think like Cisco, think better than them.

Thank you, have a great week.

Love, A3
#6
I just block outgoing access to port 853. I have it in an alias full of ports clients have no business accessing.
The alias is used in a Floating rule to block local nets from accessing ports to !local nets
#7
General Discussion / Re: Dell R620 as an OPNsense host?
February 12, 2026, 04:08:29 AM
Hmm

It should run beautifully on it.
Yes, if you're going to run bare metal, DO install the OPNsense OS to a disk or disks if you have a PERC card.

I recommend using EFI instead of legacy BIOS/MBR booting.

The rest should load. For some reason whether decided by FreeBSD or Deciso devs, not all network cards will PnP and automatically load their corresponding driver.

You may need to add a tunable that tells the underlying OS to load its driver for hardware like your 25Gb cards.

Definitely don't run off USB.
#8
Hi All

I love the multiple Blocklists we are soon to get in Business Edition.
For my Community installs, there is an appreciable warning about ensuring source nets do not overlap.

When I put in all Class A, B, and C local subnets, the window should allow me to add them.
It appears to prevent me in the GUI; however, if I edit the config and add the subnets manually,
the system will allow the setting to apply.

Can we remove the edit, but keep the warning about adding source nets of different CIDR /xy sizes?

Attached: One screenshot showing it is possible when re-writing the config file.
The other is the screen edit preventing from doing the same via the web gui.

Thanks

YFA
#9
Also, in case it hasn't been reiterated, you might want to additionally prevent devices like Android and iOS from escaping your DNS and attempting DNS over HTTP.

I recommend using a Floating rule, connected to a URL alias to v4/v6 lists, to keep those devices in check:

https://github.com/crypt0rr/public-doh-servers
https://github.com/oneoffdallas/dohservers/tree/master
https://github.com/dibdot/DoH-IP-blocklists/tree/master

Use a Firewall group to restrict your NAT and the rule above to local Interfaces and not interfere with the Firewall's ability to access DNS resources.

Here is also an older post on the matter:
https://forum.opnsense.org/index.php?topic=33931.0

Watch your Apple users start to hate you haha.
#10
General Discussion / Re: Partition or not?
January 02, 2026, 07:33:13 PM
You could put a stock FreeBSD on it, complete with its own EFI partition, then make that a sort of rescue OS for it.

I already put a copy of Memtest86+ with grub on it. The latest release, along with editing the grub.cfg file. It is now possible to enable the serial console to give it some diagnostic ability in a headless environment.

Still, all of the above would fit on a much smaller SSD. I might swap it out for an SSD of 128G or less.

Cheers

#11
For good measure, I usually go into each interface and specify "Prevent Interface Removal".
#12
General Discussion / Re: Who uses opnsense in companies
October 23, 2024, 11:29:10 PM
I have had great success setting up an OPNsense firewall for each of my clients. I feel they are far better protected than any of the "business" solutions offered by the ISP.
#13
I think this is related, as that error is the top of what is happening here.

I highly recommend pulling back this release before more folx upgrade their production systems

https://forum.opnsense.org/index.php?topic=43474.0
#14
Hi all

Where are we with this?

I just upgraded both, and this only happens on BE, the most up to date CE appears to be doing just fine.

It's just in my VMs. I'm glad I tried the upgrade, which both succeeded fine. I'll hang back and re-upgrade my 24.4 VM at a later time, try again and make sure it's working fine before I upgrade my main system, as well as those of my subscribing clients.

Thank you
#15
There might also be tunables like this that can coerce the Intel chip to cooperate with the modules:

hw.ix.unsupported_sfp
    Force Intel driver to use unsupported SFP+ modules. Def: 0
    boot-time
    Set the value to: 1